During security research in April 2019, I have discovered that the common OLED SSD1306-like displays used in many cryptocurrency hardware wallets and other embedded devices are leaking information about the display contents towards the USB interface from which the device is powered. This represents an interesting side channel that had so far not been discovered by other vendors and researchers.
Illuminating the OLED pixels takes a comparably large amount of current per pixel and this type of display illuminates pixels on a line-by-line basis. As a result, there is a strong electrical side channel for the display contents through the current fluctuations on the USB power line that can be measured without hardware modifications to the device itself.
Here is a graphical representation of the effect on an unmodified KeepKey, traced over 2½ display cycles:
Security implications, attack scenario, mitigations
The side channel is relevant since the security design of this class of devices is built to some degree on the assumption that the display contents are readable by the user, but unreadable to other involved electronics. If this confidentiality assumption does not hold in practice, there is the possibility that malicious equipment is able to recover significant portions of PIN codes or BIP39 mnemonic words.
Many of the relevant technical aspects and implications are described in the Trezor blog article on the issue that I have co-written.
I will present more details and attack scenario considerations via additions to this post and later articles.
Power analysis shows this correlation on the BIP39 secret word display of the Trezor One.
“weird” (yellow) vs. “cram” (orange):
“weird” (yellow) vs. “zoo” (orange):
“century” (yellow) vs. “cram” (orange):
From April to August 2019, I’ve analyzed a number of devices for their susceptibility to this attack and responsibly disclosed the issue to the affected vendors. Coordinating the disclosure of an hardware vulnerability among multiple competing vendors is not a straightforward process and there were a number of challenges along the way. I may write about them at some point in the future.
I initially requested a CVE ID from MITRE in July.
Due to CVE Numbering Authority rules, the vulnerability was split into individual CVEs on a per-vendor basis:
|CVE-2019-14354||Ledger Nano S, Ledger Nano X||1|
|CVE-2019-14356||Coldcard MK1, Coldcard MK2||1|
|CVE-2019-14359||BC Vault||minor security impact due to lack of secrets on the screen||1|
|CVE-2019-14360||Hyundai-Pay Kasse HK-1000||-|
|CVE-2019-18673||Shift Cryptosecurity BitBox02||1|
There are at least two additional products that may be affected in some form, but the vendors have not shown any interest in the issue.
|2019-04-08||Information leak first discovered during Trezor One research|
|2019-04-08||Initial disclosure to SatoshiLabs|
|2019-04-29||Received KeepKey hardware|
|2019-05-02||Initial disclosure to ShapeShift (KeepKey)|
|2019-05-04||First communication attempt with Archos|
|2019-05-07||Initial disclosure to Ledger for Nano S, reference to Nano X|
|2019-05-08||Initial disclosure to Mooltipass|
|2019-05-08||Initial disclosure to Coinkite|
|2019-05-12||First communication attempt with Hyundai-Pay|
|2019-05-15||Ledger informed of initial Nano X results|
|2019-05-29||Ledger requests 90 days embargo (starting from early May)|
|2019-07-23||CVE assignment requested|
|2019-07-28||CVE assigned by MITRE|
|2019-08-07||End of the coordinated embargo date, public disclosure|
This list is incomplete and will be extended.
During this research, I have received a test device from the following vendors:
- 1x Nano X from Ledger
- 1x BC Vault from REAL Security
- 1x Mooltipass from Stephan Electronics
- 1x BitBox02 from Shift Cryptosecurity
This was done mainly to speed up the analysis on devices with slow shipping or difficult availability.
Relevant hardware gifts from previous research:
- SatoshiLabs - multiple Trezor One devices
- ShapeShift - 3x KeepKey devices (part of a previous bug bounty)